Microsoft 365 Spam Filter – How to secure your email communication in the cloud
Digital transformation means moving to modern workplaces that reflect technical progress and the realities of people’s lives. However, this shift to cloud-based working should not come at the expense of security or data protection – especially given that email is still the most important gateway for cyberattacks. So what options does Microsoft 365 offer to secure email traffic and protect your company against spam and malware?
Does Microsoft already provide sufficient security?
Many companies are currently introducing Microsoft 365 as a cloud solution and part of their digital transformation. Microsoft is also addressing the issue of security with Microsoft Defender for Office 365 and Exchange Online Protection (EOP). However, the associated slogan that no further security solutions are required for email security is not borne out in reality. This is also underscored by statements from leading Microsoft employees.
Terry Zink, who was responsible at Microsoft for implementing the sender reputation standards for Microsoft 365 and all Microsoft’s own email services, put it this way: “Therefore, to get the fullest protection possible, I recommend relying upon the 3rd party service, and then maybe or maybe not doing double-filtering in EOP (accepting the fact that there will be false positives and false negatives). But, don’t just rely on EOP.”
This makes it clear that complementary security products will be needed for the foreseeable future. This is confirmed by the fact that features such as S/MIME-based, organization-enabled email encryption, granularly configurable security policies, intelligent and learning algorithms, content disarming, and the ability to flexibly create a wide variety of email signatures across the enterprise are not covered by Microsoft’s offerings.
This article examines which requirements are met by Microsoft’s own products – and how you can further optimize your organization’s security with a complementary security product like NoSpamProxy.
The basis for digital transformation: Microsoft 365
With services and apps such as Microsoft 365, Outlook, Exchange Online, Teams, SharePoint or OneNote, Microsoft has positioned itself perfectly to offer companies an ideal basis for digital transformation. More and more companies are using these tools to make the workplace of the future a reality. The central working tool for employees is Microsoft 365, i.e. the combination of various cloud services for collaboration, security and compliance, mobility as well as intelligence and analytics. For many companies, the aspect of email security in particular is crucial when using Microsoft 365 products.
Exchange Online Protection
With Exchange Online Protection (EOP), Microsoft offers its customers an integrated email security service. EOP is included with Exchange Online and any Microsoft 365 subscription that includes Exchange Online. EOP is an email filtering service that provides protection against spam and malware and can be deployed cloud-based, in a hybrid scenario, or as a stand-alone solution (for on-premises mailboxes).
Spam protection for Microsoft 365 emails
All functionalities of the spam filter in EOP are summarized under the term anti-spam. The filter checks inbound emails for characteristics typical of spam. The filtering options are customizable, as are the notification options for users.
The spam filter is a combination of connection and content filtering. If an email is detected as spam, it ends up in the individual user’s junk folder by default. Spam protection for inbound emails is enabled by default.
EOP also provides spam filtering for outbound emails, which is likewise enabled by default and also consists of a combination of connection and content filtering. However, the settings for the outgoing filter cannot be configured. If an outbound email is classified as spam, it is marked as “risky delivery” in the system. This prevents harmless IP addresses from being added to a block list. Outbound spam filtering cannot be disabled or changed, but you can configure various company-wide spam settings through the default outbound spam policy.
The so-called spoof intelligence in EOP is used to defend against spoofing attacks. Spoofing is when criminals use email addresses of users within your organizational domain and impersonate them. To defend against spoofing, EOP checks the From headers of inbound emails as well as the authentication entries for SPF, DKIM and DMARC. However, the email is not rejected directly, but either moved to the junk mail folder or marked accordingly.
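The check described above can be reproduced when triaging a suspicious message. The following is an added example, not code from Microsoft or NoSpamProxy: it reads the Authentication-Results header and tests whether a passing SPF or DKIM domain matches the visible From domain. The sample message, the domain names and the simplified alignment rule are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: SPF and DKIM pass for a bulk-mail domain, but the visible
# From address claims the recipient's own domain and DMARC fails.
SAMPLE = """\
Authentication-Results: mx.contoso.example;
 spf=pass smtp.mailfrom=bounce.mailer.example;
 dkim=pass header.d=mailer.example;
 dmarc=fail header.from=contoso.example
From: "Finance" <finance@contoso.example>
To: alice@contoso.example
Subject: Invoice

Please see the attached invoice.
"""

def _aligned(auth_domain, from_domain):
    # Simplified relaxed alignment (assumption): equal, or one is a subdomain
    # of the other. A full check would compare organizational domains.
    a, f = auth_domain.lower(), from_domain.lower()
    return bool(a) and (a == f or a.endswith("." + f) or f.endswith("." + a))

def auth_summary(raw):
    """Summarise SPF/DKIM/DMARC results and From-domain alignment for one message."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    # Join and unfold all Authentication-Results headers into one line.
    header = re.sub(r"\s+", " ", " ".join(msg.get_all("Authentication-Results", [])))

    def field(name):
        m = re.search(rf"(?<![\w.]){re.escape(name)}=([^\s;]+)", header)
        return m.group(1).lower() if m else ""

    spf, dkim, dmarc = field("spf"), field("dkim"), field("dmarc")
    spf_ok = spf == "pass" and _aligned(field("smtp.mailfrom").rpartition("@")[2], from_domain)
    dkim_ok = dkim == "pass" and _aligned(field("header.d"), from_domain)
    # Same outcome as described above: junk or mark the message, do not reject it.
    action = "deliver" if dmarc == "pass" or spf_ok or dkim_ok else "junk"
    return {"from": from_domain, "spf": spf or "none", "dkim": dkim or "none",
            "dmarc": dmarc or "none", "aligned": spf_ok or dkim_ok, "action": action}
```

The sample shows why a bare "spf=pass" or "dkim=pass" is not enough: both pass for the sending service's own domain while the From header names a different one.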
Protection against malware
Several anti-malware systems work in EOP, checking emails for viruses and spyware. As soon as malware is found in an email, the email is deleted and the administrator is notified. In addition, infected attachments can be replaced with a customizable message. It is also possible to configure the filtering and further processing of attachments in more detail through settings in the transport rules.
Microsoft Defender for Office 365
As a paid add-on option to EOP, Microsoft offers Defender for Office 365. It provides protection against phishing attacks, zero-day attacks, malicious links and contaminated email attachments.
This service checks URLs in emails and Office documents – after comparison against existing allow or block lists – at the time they are clicked to determine whether the targets of the links are harmless. Accordingly, the links are then classified as blocked, malicious or safe. If the URL is considered safe, it is opened.
If configured accordingly, Safe Attachments scans email attachments and files in SharePoint, OneDrive and Teams for malicious content. This is done by scanning and classifying files in a virtual environment. Email attachments classified as malicious are automatically removed; malicious files on SharePoint, OneDrive or in Teams are blocked.
EOP and Microsoft Defender for Office 365: Risks and weaknesses
However, the integrated protection functions in Microsoft 365 also have shortcomings. One example is the management of the quarantine folder: a maximum of 500 emails can be displayed, and only after the emails have been classified into categories such as spam, malware, phishing, etc. In addition, emails in quarantine are automatically and irrevocably deleted after 30 days. This behavior can cause a variety of problems, for example when incorrectly classified emails containing important information disappear unnoticed.
Other vulnerabilities relate to the management of emails and mailboxes, among other things: There is no simple method in Microsoft 365 to remove emails across multiple mailboxes – for example, if they have mistakenly passed through the configured filters. Also, emails that are in individual users’ spam folders can still be opened in the basic configuration of EOP, and the malicious links can still be clicked. This means that even after the inbound emails have been filtered, there is still a danger – namely, due to the ignorance of the users.
One last example: Microsoft Defender for Office 365 does not provide an allowlist or any other built-in way to mark certain domains as questionable or harmless.
Optimize email security in Microsoft 365 with NoSpamProxy
With Exchange Online Protection and Advanced Threat Protection, Microsoft offers quite a powerful package for protection against spam and malware. However, the requirements for modern communication are particularly high nowadays: effective real-time protection against any kind of malicious code, reliable communication with partners as well as clarity and transparency are increasingly required. With NoSpamProxy, all this can be realized – flexibly, scalably and with integrated email encryption.
Reliable and simple
The Level of Trust system in NoSpamProxy learns with whom you or employees of your company communicate. It is a multi-layered system that assesses the trustworthiness of a communication relationship or domain. “Trust” must be earned by a sender. A reliable and persistent connection history is critical. The system evaluates various criteria, including sender addresses and checksums, but most importantly, it also evaluates the address relationships between senders and recipients of emails, as well as the relation of the sender, subject and domain of the recipient.
With message tracking, the processing of each individual email can be traced quickly and in detail at any time. Administrators thus have a complete overview of incoming and outgoing email communication in the company at all times. Full transparency at the click of a mouse – or PowerShell, because automation and administration are also possible in NoSpamProxy via the command line.
The spam filter in NoSpamProxy is also transparent because there is no quarantine: Reject instead of sort is the approach, which prevents emails from getting lost in confusing quarantine folders. If emails are rejected, “real” senders are of course informed about the non-delivery.
Content Disarm and Reconstruction
NoSpamProxy automatically converts attachments in Word, Excel or PDF format into non-critical PDF files based on rules. In this way, potentially existing malicious code is eliminated and the recipient is sent a guaranteed harmless attachment. If configured, the PDF document contains a preview page with individual information about the reason for the conversion and, if required, a link to the original document.
Automatically rewrite dangerous URLs
The URL Safeguard prevents access to malicious content reached via links. It first checks the links in inbound emails against entries of different allowlists; if the domain contained in the link is not present in any of the lists, NoSpamProxy replaces the original link with a link pointing to the NoSpamProxy Web Portal. In these cases, the email delivered to the recipient contains only the rewritten link.
On the Web Portal, the links are then evaluated at the time of click. If the link is classified as harmless, access to the original URL is permitted and executed. If the link is classified as dangerous, access is prevented.
With the help of the level-of-trust concept of NoSpamProxy, the URL Safeguard can, for example, only be activated for URLs in emails from unknown communication partners.
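The rewrite-then-check flow described above, as an added sketch that is not NoSpamProxy's code or link format: the portal address, the `u` and `s` query parameters, the signing key and the sample body are all assumptions. The sketch also signs the wrapped target so the portal cannot be used as an open redirect, which is an assumption of this example and not something the article states.

```python
import hashlib
import hmac
import re
from urllib.parse import parse_qs, quote, urlsplit

PORTAL = "https://portal.example/safeguard"   # hypothetical portal address
KEY = b"constructed-demo-key"                  # constructed signing key
URL_RE = re.compile(r"https?://[^\s<>\"']+")
ALLOWLIST = {"contoso.example"}                # constructed allowlist
# Constructed sample body with one allowlisted and one unknown link.
SAMPLE_BODY = ("See https://intranet.contoso.example/q3 or "
               "https://files.unknown.example/doc?id=7 today")

def on_allowlist(url, allowlist):
    """True when the link's host is an allowlisted domain or a subdomain of one."""
    host = (urlsplit(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in allowlist)

def _sig(url):
    return hmac.new(KEY, url.encode(), hashlib.sha256).hexdigest()

def rewrite_links(body, allowlist):
    """Replace every link whose domain is on no allowlist with a portal link."""
    def repl(match):
        url = match.group(0)
        if on_allowlist(url, allowlist):
            return url
        return f"{PORTAL}?u={quote(url, safe='')}&s={_sig(url)}"
    return URL_RE.sub(repl, body)

def resolve_click(portal_url, is_dangerous):
    """Time-of-click check: return the original URL, or None when blocked."""
    query = parse_qs(urlsplit(portal_url).query)
    url, sig = query.get("u", [""])[0], query.get("s", [""])[0]
    if not hmac.compare_digest(sig.encode(), _sig(url).encode()):
        return None  # forged or altered portal link: never redirect
    return None if is_dangerous(url) else url
```

`is_dangerous` stands in for whatever reputation or scanning service the portal consults at click time; the verdict can differ from the one at delivery time, which is the point of deferring the check.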
Encryption integrated – directly from Microsoft Outlook
Encrypted communication is a prerequisite for contract awards and legal security in many industries – and also the basis for data protection and EU GDPR-compliant data exchange. NoSpamProxy offers S/MIME and PGP encryption at the push of a button, and takes over the management of keys and certificates for you.
With Microsoft Defender for Office 365 and EOP, Microsoft offers email security modules that provide basic protection, but offer companies only a few customization options. This one-size-fits-all approach leaves it up to Microsoft to decide, for example, whether a newsletter is of interest to a corporate user or ends up in the spam folder. With NoSpamProxy, you optimize your Microsoft 365 email security and guarantee security, transparency and simplicity. NoSpamProxy is protection against spam and malware as well as secure email encryption for your Microsoft 365 emails – scalable, reliable and Made in Germany.